Ever since the American Institute of Certified Public Accountants (AICPA) designed the System and Organization Controls 2 (SOC 2) for Service Organizations, only Certified Public Accountants (CPAs) and CPA firms are qualified to conduct SOC 2 audits. However, many layers underlie this role. This article will discuss how you can choose an auditor and their respective responsibilities.
As per the AICPA’s guidelines, auditors are required to:
Comply with AICPA's standards
Adhere to the latest guidelines to plan, execute, and supervise audit procedures
Undergo peer reviews to attest to their credentials and the validity of their audits
Role Of A SOC 2 Auditor
The role of a SOC 2 auditor is to evaluate how effective your information security posture is and to determine whether your internal controls meet the requirements of your chosen Trust Services Criteria (TSC).
The Trust Services Criteria (TSCs) comprise five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Security TSC helps in safeguarding the information and systems against unauthorized access and disclosure of details.
Availability TSC demonstrates that information and systems meet the organization's service objectives, as set out in its SLAs, so that systems and infrastructure are available to the right people at the right time.
Processing integrity TSC focuses on how systems should perform their functions thoroughly and accurately to meet the organization's objectives.
Confidentiality TSC focuses on protecting data designated as confidential (for example, through encryption) so that it is not used, retained, or disclosed by anyone who is not authorized to do so.
Privacy TSC focuses on making sure that the information is collected and used in the way that the organization has agreed to use it.
The responsibilities of the chosen auditor are not limited to assessing and evaluating internal controls. The following points describe the lifecycle of an auditor's role once your organization has selected its TSCs.
1. Irrespective of the SOC 2 report type (SOC 2 Type 1 or SOC 2 Type 2) you choose, the auditor will spend a few weeks working with your team to understand your security controls, risk management approach, IT infrastructure, policies, and procedures before producing a SOC 2 report.
2. The auditor reviews the evidence about your control environment to understand the design of controls to evaluate their operating effectiveness.
3. After evidence collection, the auditor creates a detailed report summarizing the results and the auditor's final opinion.
Note: In a SOC 2 report, an unqualified opinion means you passed your audit: the controls your auditor tested were designed and operating as they should. In comparison, a qualified opinion means you failed your audit: the controls your auditor tested were not designed or operating as required.
4. The final report includes a description of the audit scope, test results, remediation requirements, and a list of any security issues uncovered during the audit, along with the management assertion, in which your organization makes claims about its systems and controls.
Choosing The Right CPA For SOC 2 Audit
Working with unprofessional, less experienced SOC 2 auditors will create unnecessary hassle in the audit process. Here are a few pointers that can help you pick the right auditor to work with:
1. CPA credentials and independence
An AICPA affiliate or a CPA must perform a SOC 2 audit. Organizations must only engage an independent SOC 2 auditor or assessor to conduct the audit and receive a SOC 2 attestation.
2. Relevant experience
Choose a CPA who has performed similar SOC 2 audits and assessments and has worked with comparable companies in your industry.
3. Communication Style
Many auditing firms deliver excellent work and match your financial goals, but all of that goes in vain when there's miscommunication. So, choose an auditing firm that fits your communication style.
4. Knowledge of tech stack
Choose an auditing firm that understands the tools you use. It will enable them to test the controls comprehensively and help you collect the proper evidence with reduced effort.
5. Budget
If you are tight on budget, choose a CPA firm that matches your financial goals. That being said, low fees often come with hidden, and frequently substantial, costs. If a low-cost auditor cannot meet the audit timelines that a customer sale depends on, the result may be lost sales.
6. Audit approach
The rule of thumb is to understand how an auditor approaches the process. Try to understand how the auditor will execute the audit and interpret your policies and controls.
7. Team availability and escalation SLA
Check whether the auditing team has enough resources to process your audit. To avoid being sold a bill of goods, make sure you ask the auditing firm the following questions:
• What is your average SLA on response time?
• What is your escalation process?
Start your compliance journey with us!
Scrut Automation is a smart and radically simple Governance, Risk, and Compliance automation platform for growing startups and mid-market enterprises. With Scrut, Compliance teams can reduce ~70% of their manual effort in continuously maintaining compliance towards SOC 2, ISO 27001, GDPR, PCI DSS, and privacy laws like HIPAA, GDPR, and CCPA. Schedule your demo today to see how it works.